TACACS+ (the acronym of Terminal Access Controller Access Control System) is a proprietary protocol by Cisco Systems, Inc. and provides detailed accounting information and administrative control over authentication and authorization processes. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates these operations. Another difference is that TACACS+ utilizes the TCP protocol (port 49) while RADIUS Remote Authentication Dial In User Service uses the UDP User Datagram Protocol protocol.
To configure TACACS+ authentication, proceed as follows:
On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
Make the following settings:
Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.
Server: Select or add a TACACS+ server. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Key: Enter the authentication and encryption key for all TACACS+ communication between Sophos UTM and the TACACS+ server. The value for the key to be entered here should match the one configured on the TACACS+ server. Enter the key (second time for verification).
Test server settings: Pressing the Test button performs a bind test with the configured server. This verifies that the settings on this tab are correct, and the server is up and accepts connections.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.
Optionally, make the following advanced settings:
Authentication timeout (sec): Enter the timeout for the communication with the server to support higher latency scenarios if you use third party authentication solutions.
The server will be displayed in the Servers list.